Joomla Security Tips 101

Hackers enjoy the “low hanging fruit.” Sophisticated hackers know the benefit of pivoting off of compromised sites and servers to launch their attacks.

Security is huge and should be on every webmaster's mind. Joomla sites, just like any other site out there, can be at risk from hackers. In this post I'll teach you some of the tactics that hackers use to get into your Joomla site and how you can protect them by using very simple methods.

1. You are only as secure as you want to be

Unfortunately, there is never a 100% guarantee with making your website secure. All you can really do is mitigate your risk. But it is up to YOU on how you decide to protect yourself. You can implement things like Intrusion Detection Systems, aka IDS, Web Application Firewalls, event logging and regular vulnerability assessments through vulnerability scanning. The list can grow on and on.

Hackers enjoy the “low hanging fruit.” Sophisticated hackers know the benefit of pivoting off of compromised sites and servers to launch their attacks. It adds in an extra challenge for security teams to find the true culprit of the attack. Don’t give these guys the satisfaction of using your site to do their hacking. It might take time to figure out what security measures will work best for you and your company but something is always better than nothing.

2. Your theme/extensions may betray you

Do you really know what files are in your Joomla theme? Vulnerabilities can be found in the most unlikely of locations. Back in 2009 there was a disclosed vulnerability with how a user could take advantage of a parameter in the Yootheme Warp 5 Framework (this has since been patched). Let's look at the following made up example:

Through the yt_color parameter we were able to pass through some Cross Site Scripting aka XSS. Many of you might be thinking, “Cool, you just made a pop-up window. Whoop de doo!” But through cross site scripting vulnerabilities you have the potential of performing Remote File Includes, Local File Includes, Stealing Cookies, and the list can go on.

Many companies will (hopefully quickly) release patches to fix these security flaws so that their customer's data can be kept safe. It is in your best interest to keep up with the company you have purchased your theme or extension from to see if there are new updates or patches available. Got questions, I cover this topic and many other ones so if you have questions, contact me!

3. Advantage of a beta or a stage site

A common fear among developers is that an update will break the functionality of their site. Whether it be an update to Joomla, extension, or theme, many are reluctant to update, or to the other extreme developers will push out updates and end up breaking their site and then attempt to roll back their site to a functional state. It is very simple to create a beta or a stage site using VMWare, Virtualbox or any other virtualization software. This way you can check any updates easily without rolling it into production and have the ability to test whether or not the update will adversely affect your website.

I once did some consulting work for a large corporation where one of their development teams made a major roll out to their core infrastructure. It was company policy to push the updates out to their stage site before pushing it into production. A person on the team decided to push the update to the stage site and to production at the same time. Turns out the update broke both sites and there was no chance for redundancy. For the next 4 hours on a Friday evening they spent time fixing the issue. If only the developers would have pushed it to the stage environment first they could have seen how it was going to affect the corporation, then they would have been able to know how to make the changes and fixes without being in “crisis mode.”

CEO of NetHosting, Lane Livingston said at Hostingcon last year "It's the small things in outside of beta that get us", speaking of people that often put things live on their site instead of putting up a beta or stage site to demo things. Later stating "Some of the easiest ways to get into a site are found when a webmaster doesn't test things before going live."

Conclusion

We can take more responsibility in the creation of our websites. We can implement better practices and procedures to demystify what is deemed as hacking, a security compromises or even being the cause of bringing down our own websites indirectly. Security needs to be seen in today’s world as a cost of doing business. Joomla has a great introduction on how you can begin to implement better security on your website at http://docs.joomla.org/Security and my favorite the Top 10 Stupid Administrator Tricks at http://docs.joomla.org/Top_10_Stupidest_Administrator_Tricks.